Mercurial > hg > CbC > CbC_llvm

comparison lib/FuzzMutate/Operations.cpp @ 121:803732b1fca8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
LLVM 5.0
author kono
date Fri, 27 Oct 2017 17:07:41 +0900
parents
children 3a76565eade5
comparison
equal deleted inserted replaced
120:1172e4bd9c6f 121:803732b1fca8
1 //===-- Operations.cpp ----------------------------------------------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9
10 #include "llvm/FuzzMutate/Operations.h"
11 #include "llvm/IR/BasicBlock.h"
12 #include "llvm/IR/Constants.h"
13 #include "llvm/IR/Function.h"
14 #include "llvm/IR/Instructions.h"
15
16 using namespace llvm;
17 using namespace fuzzerop;
18
19 void llvm::describeFuzzerIntOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
20 Ops.push_back(binOpDescriptor(1, Instruction::Add));
21 Ops.push_back(binOpDescriptor(1, Instruction::Sub));
22 Ops.push_back(binOpDescriptor(1, Instruction::Mul));
23 Ops.push_back(binOpDescriptor(1, Instruction::SDiv));
24 Ops.push_back(binOpDescriptor(1, Instruction::UDiv));
25 Ops.push_back(binOpDescriptor(1, Instruction::SRem));
26 Ops.push_back(binOpDescriptor(1, Instruction::URem));
27 Ops.push_back(binOpDescriptor(1, Instruction::Shl));
28 Ops.push_back(binOpDescriptor(1, Instruction::LShr));
29 Ops.push_back(binOpDescriptor(1, Instruction::AShr));
30 Ops.push_back(binOpDescriptor(1, Instruction::And));
31 Ops.push_back(binOpDescriptor(1, Instruction::Or));
32 Ops.push_back(binOpDescriptor(1, Instruction::Xor));
33
34 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_EQ));
35 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_NE));
36 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGT));
37 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGE));
38 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULT));
39 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULE));
40 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGT));
41 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGE));
42 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLT));
43 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLE));
44 }
45
46 void llvm::describeFuzzerFloatOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
47 Ops.push_back(binOpDescriptor(1, Instruction::FAdd));
48 Ops.push_back(binOpDescriptor(1, Instruction::FSub));
49 Ops.push_back(binOpDescriptor(1, Instruction::FMul));
50 Ops.push_back(binOpDescriptor(1, Instruction::FDiv));
51 Ops.push_back(binOpDescriptor(1, Instruction::FRem));
52
53 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_FALSE));
54 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OEQ));
55 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGT));
56 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGE));
57 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLT));
58 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLE));
59 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ONE));
60 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ORD));
61 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNO));
62 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UEQ));
63 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGT));
64 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGE));
65 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULT));
66 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULE));
67 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNE));
68 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_TRUE));
69 }
70
71 void llvm::describeFuzzerControlFlowOps(
72 std::vector<fuzzerop::OpDescriptor> &Ops) {
73 Ops.push_back(splitBlockDescriptor(1));
74 }
75
76 void llvm::describeFuzzerPointerOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
77 Ops.push_back(gepDescriptor(1));
78 }
79
80 void llvm::describeFuzzerAggregateOps(
81 std::vector<fuzzerop::OpDescriptor> &Ops) {
82 Ops.push_back(extractValueDescriptor(1));
83 Ops.push_back(insertValueDescriptor(1));
84 }
85
86 void llvm::describeFuzzerVectorOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
87 Ops.push_back(extractElementDescriptor(1));
88 Ops.push_back(insertElementDescriptor(1));
89 Ops.push_back(shuffleVectorDescriptor(1));
90 }
91
92 OpDescriptor llvm::fuzzerop::binOpDescriptor(unsigned Weight,
93 Instruction::BinaryOps Op) {
94 auto buildOp = [Op](ArrayRef<Value *> Srcs, Instruction *Inst) {
95 return BinaryOperator::Create(Op, Srcs[0], Srcs[1], "B", Inst);
96 };
97 switch (Op) {
98 case Instruction::Add:
99 case Instruction::Sub:
100 case Instruction::Mul:
101 case Instruction::SDiv:
102 case Instruction::UDiv:
103 case Instruction::SRem:
104 case Instruction::URem:
105 case Instruction::Shl:
106 case Instruction::LShr:
107 case Instruction::AShr:
108 case Instruction::And:
109 case Instruction::Or:
110 case Instruction::Xor:
111 return {Weight, {anyIntType(), matchFirstType()}, buildOp};
112 case Instruction::FAdd:
113 case Instruction::FSub:
114 case Instruction::FMul:
115 case Instruction::FDiv:
116 case Instruction::FRem:
117 return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
118 case Instruction::BinaryOpsEnd:
119 llvm_unreachable("Value out of range of enum");
120 }
121 llvm_unreachable("Covered switch");
122 }
123
124 OpDescriptor llvm::fuzzerop::cmpOpDescriptor(unsigned Weight,
125 Instruction::OtherOps CmpOp,
126 CmpInst::Predicate Pred) {
127 auto buildOp = [CmpOp, Pred](ArrayRef<Value *> Srcs, Instruction *Inst) {
128 return CmpInst::Create(CmpOp, Pred, Srcs[0], Srcs[1], "C", Inst);
129 };
130
131 switch (CmpOp) {
132 case Instruction::ICmp:
133 return {Weight, {anyIntType(), matchFirstType()}, buildOp};
134 case Instruction::FCmp:
135 return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
136 default:
137 llvm_unreachable("CmpOp must be ICmp or FCmp");
138 }
139 }
140
141 OpDescriptor llvm::fuzzerop::splitBlockDescriptor(unsigned Weight) {
142 auto buildSplitBlock = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
143 BasicBlock *Block = Inst->getParent();
144 BasicBlock *Next = Block->splitBasicBlock(Inst, "BB");
145 if (Block != &Block->getParent()->getEntryBlock()) {
146 // Loop back on this block by replacing the unconditional forward branch
147 // with a conditional with a backedge.
148 BranchInst::Create(Block, Next, Srcs[0], Block->getTerminator());
149 Block->getTerminator()->eraseFromParent();
150
151 // We need values for each phi in the block. Since there isn't a good way
152 // to do a variable number of input values currently, we just fill them
153 // with undef.
154 for (PHINode &PHI : Block->phis())
155 PHI.addIncoming(UndefValue::get(PHI.getType()), Block);
156 }
157 return nullptr;
158 };
159 SourcePred isInt1Ty{[](ArrayRef<Value *>, const Value *V) {
160 return V->getType()->isIntegerTy(1);
161 },
162 None};
163 return {Weight, {isInt1Ty}, buildSplitBlock};
164 }
165
166 OpDescriptor llvm::fuzzerop::gepDescriptor(unsigned Weight) {
167 auto buildGEP = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
168 Type *Ty = cast<PointerType>(Srcs[0]->getType())->getElementType();
169 auto Indices = makeArrayRef(Srcs).drop_front(1);
170 return GetElementPtrInst::Create(Ty, Srcs[0], Indices, "G", Inst);
171 };
172 // TODO: Handle aggregates and vectors
173 // TODO: Support multiple indices.
174 // TODO: Try to avoid meaningless accesses.
175 return {Weight, {anyPtrType(), anyIntType()}, buildGEP};
176 }
177
178 static uint64_t getAggregateNumElements(Type *T) {
179 assert(T->isAggregateType() && "Not a struct or array");
180 if (isa<StructType>(T))
181 return T->getStructNumElements();
182 return T->getArrayNumElements();
183 }
184
185 static SourcePred validExtractValueIndex() {
186 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
187 if (auto *CI = dyn_cast<ConstantInt>(V))
188 if (!CI->uge(getAggregateNumElements(Cur[0]->getType())))
189 return true;
190 return false;
191 };
192 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
193 std::vector<Constant *> Result;
194 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
195 uint64_t N = getAggregateNumElements(Cur[0]->getType());
196 // Create indices at the start, end, and middle, but avoid dups.
197 Result.push_back(ConstantInt::get(Int32Ty, 0));
198 if (N > 1)
199 Result.push_back(ConstantInt::get(Int32Ty, N - 1));
200 if (N > 2)
201 Result.push_back(ConstantInt::get(Int32Ty, N / 2));
202 return Result;
203 };
204 return {Pred, Make};
205 }
206
207 OpDescriptor llvm::fuzzerop::extractValueDescriptor(unsigned Weight) {
208 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
209 // TODO: It's pretty inefficient to shuffle this all through constants.
210 unsigned Idx = cast<ConstantInt>(Srcs[1])->getZExtValue();
211 return ExtractValueInst::Create(Srcs[0], {Idx}, "E", Inst);
212 };
213 // TODO: Should we handle multiple indices?
214 return {Weight, {anyAggregateType(), validExtractValueIndex()}, buildExtract};
215 }
216
217 static SourcePred matchScalarInAggregate() {
218 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
219 if (isa<ArrayType>(Cur[0]->getType()))
220 return V->getType() == Cur[0]->getType();
221 auto *STy = cast<StructType>(Cur[0]->getType());
222 for (int I = 0, E = STy->getNumElements(); I < E; ++I)
223 if (STy->getTypeAtIndex(I) == V->getType())
224 return true;
225 return false;
226 };
227 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) {
228 if (isa<ArrayType>(Cur[0]->getType()))
229 return makeConstantsWithType(Cur[0]->getType());
230 std::vector<Constant *> Result;
231 auto *STy = cast<StructType>(Cur[0]->getType());
232 for (int I = 0, E = STy->getNumElements(); I < E; ++I)
233 makeConstantsWithType(STy->getTypeAtIndex(I), Result);
234 return Result;
235 };
236 return {Pred, Make};
237 }
238
239 static SourcePred validInsertValueIndex() {
240 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
241 auto *CTy = cast<CompositeType>(Cur[0]->getType());
242 if (auto *CI = dyn_cast<ConstantInt>(V))
243 if (CI->getBitWidth() == 32)
244 if (CTy->getTypeAtIndex(CI->getZExtValue()) == V->getType())
245 return true;
246 return false;
247 };
248 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
249 std::vector<Constant *> Result;
250 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
251 auto *CTy = cast<CompositeType>(Cur[0]->getType());
252 for (int I = 0, E = getAggregateNumElements(CTy); I < E; ++I)
253 if (CTy->getTypeAtIndex(I) == Cur[1]->getType())
254 Result.push_back(ConstantInt::get(Int32Ty, I));
255 return Result;
256 };
257 return {Pred, Make};
258 }
259
260 OpDescriptor llvm::fuzzerop::insertValueDescriptor(unsigned Weight) {
261 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
262 // TODO: It's pretty inefficient to shuffle this all through constants.
263 unsigned Idx = cast<ConstantInt>(Srcs[2])->getZExtValue();
264 return InsertValueInst::Create(Srcs[0], Srcs[1], {Idx}, "I", Inst);
265 };
266 return {
267 Weight,
268 {anyAggregateType(), matchScalarInAggregate(), validInsertValueIndex()},
269 buildInsert};
270 }
271
272 OpDescriptor llvm::fuzzerop::extractElementDescriptor(unsigned Weight) {
273 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
274 return ExtractElementInst::Create(Srcs[0], Srcs[1], "E", Inst);
275 };
276 // TODO: Try to avoid undefined accesses.
277 return {Weight, {anyVectorType(), anyIntType()}, buildExtract};
278 }
279
280 OpDescriptor llvm::fuzzerop::insertElementDescriptor(unsigned Weight) {
281 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
282 return InsertElementInst::Create(Srcs[0], Srcs[1], Srcs[2], "I", Inst);
283 };
284 // TODO: Try to avoid undefined accesses.
285 return {Weight,
286 {anyVectorType(), matchScalarOfFirstType(), anyIntType()},
287 buildInsert};
288 }
289
290 static SourcePred validShuffleVectorIndex() {
291 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
292 return ShuffleVectorInst::isValidOperands(Cur[0], Cur[1], V);
293 };
294 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
295 auto *FirstTy = cast<VectorType>(Cur[0]->getType());
296 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
297 // TODO: It's straighforward to make up reasonable values, but listing them
298 // exhaustively would be insane. Come up with a couple of sensible ones.
299 return std::vector<Constant *>{
300 UndefValue::get(VectorType::get(Int32Ty, FirstTy->getNumElements()))};
301 };
302 return {Pred, Make};
303 }
304
305 OpDescriptor llvm::fuzzerop::shuffleVectorDescriptor(unsigned Weight) {
306 auto buildShuffle = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
307 return new ShuffleVectorInst(Srcs[0], Srcs[1], Srcs[2], "S", Inst);
308 };
309 return {Weight,
310 {anyVectorType(), matchFirstType(), validShuffleVectorIndex()},
311 buildShuffle};
312 }